SSL link encryption


This topic describes the procedure for enabling SSL connection encryption.

Background information

OceanBase supports Secure Sockets Layer (SSL) encryption for database connections to improve security. SSL encrypts network connections at the transport layer. This protects your data in transit. After you enable SSL, you can require all clients to use SSL for access.

Note
  • After SSL connection encryption is enabled, it cannot be disabled. Expect a slight decrease in instance performance, because the TLS handshake and the encryption and decryption of traffic consume CPU. Enable SSL connection encryption for an instance only when you need to connect over the internet or require encryption in transit.

  • ApsaraDB for OceanBase V2.2.76 and later support SSL connection encryption.

  • SSL connection encryption is not supported for Standard Edition (Key-Value) clusters.

  • SSL connection encryption does not apply to endpoints in direct connection mode.

TLS version guide

Transport Layer Security (TLS) is the transport-layer security protocol in common use today; "SSL" is the name of its predecessor and is kept in this topic for historical reasons, but the connections use TLS. It provides confidentiality and integrity for traffic over the internet. The protocol has several versions. TLSv1.0 and TLSv1.1 are deprecated, and JDK 8u291, JDK 11.0.11 and later releases disable them by default, which is why the usable versions depend on both the JDK and the MySQL Connector/J version. The following table describes TLS support for different combinations of JDK and MySQL Connector/J versions (a dash in the Connector/J column means the row applies regardless of the Connector/J version).

JDK version                    | MySQL Connector/J version | TLSv1.0       | TLSv1.1       | TLSv1.2   | TLSv1.3
-------------------------------|---------------------------|---------------|---------------|-----------|--------------
JDK 8, earlier than 8u291      | -                         | Supported     | Supported     | Supported | Not supported
JDK 8, 8u291 to 8u333          | -                         | Not supported | Not supported | Supported | Not supported
JDK 8, 8u341 or later          | earlier than 8.0.19       | Not supported | Not supported | Supported | Not supported
JDK 8, 8u341 or later          | 8.0.19 or later           | Not supported | Not supported | Supported | Supported
JDK 9                          | -                         | Supported     | Supported     | Supported | Not supported
JDK 11, earlier than 11.0.11   | earlier than 8.0.19       | Supported     | Supported     | Supported | Not supported
JDK 11, earlier than 11.0.11   | 8.0.19 or later           | Supported     | Supported     | Supported | Supported
JDK 11, 11.0.11 or later       | earlier than 8.0.19       | Not supported | Not supported | Supported | Not supported
JDK 11, 11.0.11 or later       | 8.0.19 or later           | Not supported | Not supported | Supported | Supported
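The table tells you what a given JDK build should do; the following added diagnostic (written for this page, not code from OceanBase or from MySQL Connector/J) asks the JDK that actually runs your application. It classifies each TLS version as enabled by default, present but disabled by the jdk.tls.disabledAlgorithms constraint, or absent, and prints the two java.security settings that the handshake and certificate-path checks apply. Run it with the same JDK (and the same java.security file) as the application before the first JDBC handshake.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;

/**
 * Added diagnostic (not from the page or from OceanBase): reports, for the
 * JDK it runs on, which TLS versions are enabled by default, which are
 * present but disabled through jdk.tls.disabledAlgorithms, and which are
 * absent, so you can tell which row of the TLS version guide applies.
 */
public class TlsSupportCheck {

    enum Status { ENABLED, DISABLED, ABSENT }

    /** Classifies each TLS version from the table for the running JDK. */
    static Map<String, Status> tlsVersionStatus() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Default parameters already have the disabled versions filtered out;
        // the supported list still contains them if the JDK implements them.
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        Map<String, Status> result = new LinkedHashMap<>();
        // The JDK names TLSv1.0 "TLSv1"; the other names match the table.
        for (String version : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            Status s = enabled.contains(version) ? Status.ENABLED
                     : supported.contains(version) ? Status.DISABLED
                     : Status.ABSENT;
            result.put(version, s);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDK " + System.getProperty("java.version"));
        Map<String, Status> status = tlsVersionStatus();
        for (Map.Entry<String, Status> e : status.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
        // The constraint lists applied to the handshake and to certificate-path
        // validation; these are the two java.security settings discussed in the
        // Procedure section of this topic.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        if (status.get("TLSv1.2") != Status.ENABLED) {
            System.out.println("TLSv1.2 is not enabled on this JDK; "
                    + "a connection with enabledTLSProtocols=TLSv1.2 will fail");
        }
    }
}
```

A version reported as DISABLED is the case the table marks "Not supported" for newer JDK builds: the implementation is present, but the default jdk.tls.disabledAlgorithms entry removes it from every handshake, so forcing it from the JDBC URL does not help.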

Procedure

  1. Log on to the OceanBase Management Console .

  2. In the navigation pane on the left, click Instance List.

  3. In the instance list, find the target cluster instance and click its name to go to the Cluster Instance Workspace page.

  4. In the navigation pane on the left, click Security Settings.

  5. Click the SSL Connection Encryption tab. You can perform the following operations.

    1. Turn on the SSL Connection Encryption switch to enable SSL connection encryption. The process takes about 3 to 5 minutes. After SSL connection encryption is enabled, some versions also let you turn on Force SSL Connection. If the Force SSL Connection option is not displayed, the current version does not support it.

      Note

      Enabling Force SSL Connection rejects non-SSL connections, and existing non-SSL connections become invalid. Switch every client to an SSL connection before you turn it on.

    2. Click Download CA Certificate to download the certificate.

      The downloaded file is a compressed package that contains the following three files:

      • p7b file: Used to import the CA certificate on Windows systems.

      • PEM file: Used to import the CA certificate on other systems or for other applications.

      • JKS file: A Java KeyStore (JKS) file. The password is `OceanBase`. This file is used to import the CA certificate chain in Java programs.

      Note

      To use the JKS certificate file from Java with JDK 7 or JDK 8, you must relax the JDK's default algorithm constraints. On the application host, edit the jre/lib/security/java.security file so that the following two settings read:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      These values are weaker than the defaults shipped with current JDK 8 builds, which disable more algorithms and require a larger minimum DH key size, so apply them only on hosts that connect to this instance. Rather than editing the JRE-wide file, you can put the two lines in a separate properties file and pass it with -Djava.security.properties=/path/to/file on the application's command line, which keeps the relaxed settings scoped to that application.

      If you do not modify the JDK security configuration, the following error is reported. Other similar errors are typically also caused by the Java security configuration.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    3. Click Update Validity Period to refresh the SSL Certificate Validity Period.


    4. Turn on the Auto-update SSL Certificate Validity Period switch. When this feature is enabled, the certificate automatically renews 7 days before it expires. Each renewal is valid for 360 days.


FAQ

If your Java program fails to connect and reports the error javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate), the driver's default protocol list contains only TLS versions that the JDK has disabled: JDK 8u291 and later and JDK 11.0.11 and later disable TLSv1.0 and TLSv1.1 by default (see the TLS version guide above). You can resolve the issue in one of the following ways:

  • Specify the TLS version in the URL parameters of the JDBC connection string. For example, specify `enabledTLSProtocols=TLSv1.2`. This is the preferred fix.

  • Downgrade the JDK version to one earlier than 1.8.0_291. This restores the old protocol defaults but also gives up later JDK security fixes, so treat it only as a temporary workaround.
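The following added example (written for this page; it is not code from OceanBase or from MySQL Connector/J) ties the procedure above together: it opens a JDBC connection to a MySQL-mode tenant that refuses plaintext, verifies the server certificate against the CA in the downloaded JKS file, pins the protocol to TLSv1.2 so that the "No appropriate protocol" error from the FAQ cannot occur, and then confirms that the session is actually encrypted. The host, port, database, account, password source and truststore path are placeholders, and the `SHOW SESSION STATUS LIKE 'Ssl_cipher'` check assumes the tenant exposes that MySQL-compatible status variable; the JKS password `OceanBase` is the one stated in this topic.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example (not from the page or from OceanBase): connect to a
 * MySQL-mode OceanBase tenant over TLS, trusting only the CA from the
 * downloaded JKS file, and verify that the session is encrypted.
 */
public class OceanBaseSslConnect {

    // Assumed placeholders: replace with your instance endpoint and account.
    private static final String HOST = "obmysql.example.com";
    private static final int PORT = 3306;
    private static final String DATABASE = "test";
    private static final String USER = "app_user@app_tenant";
    private static final String PASSWORD = System.getenv("OB_PASSWORD");
    // Assumed location of the JKS file extracted from the CA certificate package.
    private static final String TRUSTSTORE_PATH = "/etc/oceanbase/ca.jks";
    // Password of the JKS file as stated in this topic.
    private static final String TRUSTSTORE_PASSWORD = "OceanBase";

    /** Connection properties that refuse plaintext and verify the server certificate. */
    static Properties sslProperties() {
        Properties p = new Properties();
        p.setProperty("user", USER);
        p.setProperty("password", PASSWORD);
        p.setProperty("useSSL", "true");
        // Fail the connection instead of silently falling back to plaintext.
        p.setProperty("requireSSL", "true");
        // Without this the driver accepts any certificate, so a man-in-the-middle
        // with a self-signed certificate would still get an "encrypted" session.
        p.setProperty("verifyServerCertificate", "true");
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + TRUSTSTORE_PATH);
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        p.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASSWORD);
        // Pin TLSv1.2: avoids "No appropriate protocol" on JDKs that disable
        // TLSv1.0/1.1, and avoids negotiating those versions on JDKs that allow them.
        p.setProperty("enabledTLSProtocols", "TLSv1.2");
        return p;
    }

    static String jdbcUrl() {
        return "jdbc:mysql://" + HOST + ":" + PORT + "/" + DATABASE;
    }

    /**
     * Returns the negotiated cipher, or throws if the session is not encrypted.
     * Ssl_cipher is a MySQL-compatible status variable; assumed to be exposed
     * by the tenant. A successful connect with requireSSL=true and
     * verifyServerCertificate=true is already a strong signal on its own.
     */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            if (rs.next()) {
                String cipher = rs.getString(2); // column 2 is Value
                if (cipher != null && !cipher.isEmpty()) {
                    return cipher;
                }
            }
        }
        throw new SQLException("session is not TLS-protected");
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(jdbcUrl(), sslProperties())) {
            System.out.println("Connected over TLS, cipher: " + negotiatedCipher(conn));
        }
    }
}
```

With Connector/J 8.0.13 or later, `sslMode=VERIFY_CA` together with the same `trustCertificateKeyStore*` properties is the non-deprecated equivalent of `useSSL`, `requireSSL` and `verifyServerCertificate`; the legacy properties are kept here because the TLS version guide also covers driver versions earlier than 8.0.19. If the handshake still fails, run the program once with `-Djavax.net.debug=ssl:handshake` to see which protocol versions and certificates were offered.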